> > On 18-Aug-2004 Mike Tancsa wrote: >> As I have no crypto background to evaluate some of the (potentially >> wild >> and erroneous) claims being made in the popular press* (eg >> http://news.com.com/2100-1002_3-5313655.html see quote below), one >> thing >> that comes to mind is the safety of ports. If someone can pad an >> archive >> to come up with the same MD5 hash, this would challenge the security >> of >> the FreeBSD ports system no ? > > I _believe_ answer is "no", because i _think_ the FreeBSD ports system > also > verify the size of the archive(s) (cat /usr/ports/any/any/distinfo to > see > what made me think that). > > Padding would modify archive size. Finding a backdoored version that > both > satisfy producing the same hash and being the same size is probably not > impossible, but how many years would it take ? > > > Now, i may be wrong. Any enlightement welcome. > > -- > Guy > _______________________________________________ > Why not adopt the OpenBSD method for ports. OpenBSD supplies 3 hash/digests for downloaded binaries and sources. Those OpenBSD guys leave nothing to chance. ports/databases/postgresql] scott% cat distinfo MD5 (postgresql-7.3.5.tar.gz) = ef2751173050b97fad8592ce23525ddf RMD160 (postgresql-7.3.5.tar.gz) = 83d5f713d7bfcf3ca57fb2bcc88d052982911d73 SHA1 (postgresql-7.3.5.tar.gz) = fbdab6ce38008a0e741f8b75e3b57633a36ff5ff Thanks, -- Scott A. Gerhardt, P.Geo. Gerhardt Information Technologies _______________________________________________ freebsd-security@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"